Analysis
-
max time kernel
140s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
19/04/2024, 14:44
General
-
Target
http://206.188.197.218:8000/
Malware Config
Signatures
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
mimikatz is an open source tool to dump credentials on Windows 1 IoCs
-
Downloads MZ/PE file
-
Modifies file permissions 1 TTPs 1 IoCs
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
NTFS ADS 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://206.188.197.218:8000/"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://206.188.197.218:8000/2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4256.0.1414386871\519881683" -parentBuildID 20230214051806 -prefsHandle 1752 -prefMapHandle 1744 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b44d2df-7354-44d7-a76f-8ef1cb6b5e66} 4256 "\\.\pipe\gecko-crash-server-pipe.4256" 1496 1b8b670ed58 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4256.1.652204741\745424130" -parentBuildID 20230214051806 -prefsHandle 2400 -prefMapHandle 2388 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2387ace6-d91f-48e2-8d27-85f379947dfb} 4256 "\\.\pipe\gecko-crash-server-pipe.4256" 2412 1b8a998a258 socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4256.2.1731958594\2106689268" -childID 1 -isForBrowser -prefsHandle 2960 -prefMapHandle 2956 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c50f1766-8876-4c83-9502-c2050323d2c9} 4256 "\\.\pipe\gecko-crash-server-pipe.4256" 2924 1b8a9978a58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4256.3.631937231\1551175032" -childID 2 -isForBrowser -prefsHandle 3664 -prefMapHandle 3660 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {da1434d0-f6e7-4da0-a438-41e26b1640f0} 4256 "\\.\pipe\gecko-crash-server-pipe.4256" 3676 1b8bb2c3858 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4256.4.1014958287\1959216382" -childID 3 -isForBrowser -prefsHandle 5128 -prefMapHandle 5112 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {faeb08e5-e0b9-49b4-9ec8-ad9b9b819fc8} 4256 "\\.\pipe\gecko-crash-server-pipe.4256" 5136 1b8bd498b58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4256.5.2061405732\840341592" -childID 4 -isForBrowser -prefsHandle 5364 -prefMapHandle 5360 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d6ed6f3c-f431-4234-8ff6-430cfdfc1366} 4256 "\\.\pipe\gecko-crash-server-pipe.4256" 5372 1b8bd49b558 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4256.6.1053194830\712443995" -childID 5 -isForBrowser -prefsHandle 5516 -prefMapHandle 5280 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2bb42ae-7058-45ef-af12-7baa7291c9d2} 4256 "\\.\pipe\gecko-crash-server-pipe.4256" 5508 1b8bd499a58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4256.7.1273063057\676077060" -childID 6 -isForBrowser -prefsHandle 5980 -prefMapHandle 5976 -prefsLen 27737 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {93a1b3ba-2c36-46fa-a937-3e72066134cc} 4256 "\\.\pipe\gecko-crash-server-pipe.4256" 5988 1b8bddd9e58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4256.8.636996850\444780596" -childID 7 -isForBrowser -prefsHandle 2768 -prefMapHandle 2792 -prefsLen 28002 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {371e465a-68a4-45fe-bbbf-1f3eae34f412} 4256 "\\.\pipe\gecko-crash-server-pipe.4256" 5012 1b8b562b558 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4256.9.1964291231\2094021126" -childID 8 -isForBrowser -prefsHandle 6288 -prefMapHandle 6292 -prefsLen 28217 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {07de401e-a9c2-4c7f-b26b-7edb9ddb87d1} 4256 "\\.\pipe\gecko-crash-server-pipe.4256" 6328 1b8bbfa9e58 tab3⤵
-
-
-
C:\Program Files\Java\jre-1.8\bin\javaw.exe"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\cobaltstrike.jar"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\icacls.exeC:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M2⤵
- Modifies file permissions
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
46B
MD52e59a94e3b3811c3728abbd785e0ef9e
SHA1e84dad9ebd9f9e8398dc86007c1cc81db4681cca
SHA256fa257211136df4ebd6acce098aaf241638428e7b4ba957c3ccbb799227ee882f
SHA51297c0fa44fa95efb218a9f5d838faab4aabb3c1c2a69b031e72f576a35748fd49f11534a5b752092f62e40ef49758c22752aac9d17bdddbc6b6383c3cb15882d0
-
Filesize
22KB
MD5693b914a283a5113d7d8537af1a76e07
SHA1fb7974f90fc462b5040dcfeac37a74689f16f83e
SHA256e58cdb53aba2ec5d39a53d7369c2465659f371e08456e6e32cb037d41d1ef324
SHA5121b90907c97c157356cf178ee2601e6facb335f08e9eb880b06e10b6147e4847538c1d1fa0f7af826a407f265950b70502293120ec02d656aaa05bad39731e4d4
-
Filesize
7KB
MD581a5adbae10a1edb4c3da9d7d1655da0
SHA18e7fd2e8536b3c1015e93526f3651d8b36206ddd
SHA2568749a77ef62a0910f7b5c0776e9a761b242416a69954b48672170891a9e0c750
SHA51274a9ee8656986e61ee26db6ee3166a9b411c407d14585fd9340b52bd718e252ae547e4bd4f658028e3ffb5af6443c19d38a1a98b584b85708a32304ce92b6790
-
Filesize
7KB
MD520a614514503f3810c4811920942d05a
SHA1f7fd45ab295daac8e56042896743a7f6fbfd23cd
SHA2566f56ccc6bc916d7440914563ea7bee80e334b6cf01864ef8231d37bb90a5765f
SHA512d596f34747fdf401bbb0c6256c9efd809857ff3e428ce7e8374fb590016879dc7d58b641f456965d6d32117526794810e354a782bdde495ad75e27ac70dfedbe
-
Filesize
7KB
MD579bf6143d91acea69c2b305374ad788d
SHA1fb44cc90cb7a9b9c222811f56ef2ffe78d476fd2
SHA2560d40c5ccd8a8b4daa9cd743510f58eda13fff2e95b068ee4439e3db3b0babee1
SHA5122a52a87129168230004f98d1c6c03952cb9f7d8dc037b045a4540566455c43039685b26cae5916d65c250fff535a17efd5b9c98d4ad6cbd549a2d3dce5f99f69
-
Filesize
1KB
MD550eae2a32dc3604429ba59a01b17c5d6
SHA15e6d8d800a0c1ffd2239bf7631580aa5b7b36c27
SHA25672636f8960b18ee3a398e8e5045dd2eb269198b289a4720422b460a2219142bf
SHA51218105999d7f5f5e231b1298cd2d86a670fe76d858148295ccde10bf8c59479cbd2d655d95b778e849217f8789764ad6690245f5380149f4878ee0be7dc4b8016
-
Filesize
1KB
MD5fcfdb9896c51065290e8c816cad0f4a4
SHA126511b733939d6a5bac39b4db892e574fd71b6d2
SHA25631741ccf3fce06b06236a1e1d62ff1846abcc2ddb1811b9b4b69f4baa29f7918
SHA5124bc916f83615e9b8df587f32a8e94a764707f9c45b436bd83337e88a2a264bdc7f2731e2b63f8356f8c926a2ecca4828c15656a660ed5ddfcf36c6bb6dce7955
-
Filesize
1KB
MD521f81d21031c2d69425999c51154181f
SHA1d2ce5e1dd03fb2ae2db011502405575a2e35f21c
SHA256297b18a034886cca90fe729f30b6eafc2e95df523803981adc77a359af3a58c4
SHA512f99c2ad1d80cf39ea0203d01619822f725a661b2ab49b5b6ff4aee219f0790a47f2530b229bcb8cbcab3ba674cae516446c4b955b0ba3bf23261dbfb6badae48
-
Filesize
1KB
MD52c357155f2efe7fbbee63610826fac85
SHA174fb489c432ce4d679e3690bc1149145cb6e630f
SHA256244e5d92e130d14b235823f69059bc76c1d906f1e8ada39017e7ea8ecfcd1975
SHA5124045c4b42db26d7a375f720f6ce0e37ca4aaa9bbb9070485a7a37b4c94dc6e4d0bff617abd218a66d4170a5812c30508fb69efd7c717a773124f214229ddb79f
-
Filesize
11KB
MD52411b9f3ba8faf4737e454c78f9b30d6
SHA15af5c51f289e2c51a4844d9490cb383e6ea47c16
SHA25644615b9e85b9e3a1ebb01ee888850661079d37efaf09675061bf330b3df1c7f5
SHA512836e990b47084cb52560cf94cd128318e656f35a6f3f0b12198d243dfad6c9d0eb5d4cba05605029a24b16935a649e751780737ae7fde86e5b00e1b9d5a67620
-
Filesize
32.3MB
MD504e0a11be59147a8d73d2b3e9fea832c
SHA1bb0815f6b7f1e9549526452d0727a54a2fe89b89
SHA256a5e980aac32d9c7af1d2326008537c66d55d7d9ccf777eb732b2a31f4f7ee523
SHA512e1e741b351709265e9e800412f184b9f00148f636e6dc433ec7895532057dba2436973aa59fc6d38d04fc48a779b8db0774d4160228552a2d02463d6946bb7c2
-
Filesize
1.3MB
MD529efd64dd3c7fe1e2b022b7ad73a1ba5
SHA1e3b6ea8c46fa831cec6f235a5cf48b38a4ae8d69
SHA25661c0810a23580cf492a6ba4f7654566108331e7a4134c968c2d6a05261b2d8a1
SHA512f00b1ab035aa574c70f6b95b63f676fa75ff8f379f92e85ad5872c358a6bb1ed5417fdd226d421307a48653577ca42aba28103b3b2d7a5c572192d6e5f07e8b3
-
Filesize
16.0MB
-
Filesize
4KB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
4KB
-
Filesize
16.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
16.0MB
-
Filesize
4KB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
4KB